View
226
Download
0
Category
Preview:
Citation preview
Exploiting Active Directory Administrator Insecurities
Sean Metcalf (@Pyrotek3)
s e a n @ adsecurity . orgwww.ADSecurity.org
ABOUT
• Founder Trimarc (Trimarc.io), a professional services company that helps organizations better secure their Microsoft platform, including the Microsoft Cloud.
• Microsoft Certified Master (MCM) Directory Services
• Speaker: Black Hat, Blue Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon
• Security Consultant / Researcher
• Active Directory Enthusiast - Own & Operate ADSecurity.org(Microsoft platform security info)
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
AGENDA
•Evolution of Admin Discovery
•Exploiting Typical Administration
•Multi-Factor Authentication (MFA)
•Password Vaults
•Admin Forest
•Attacking RODCs
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
The Evolution of Admin Discovery
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discovering AD Admins
Enumerate the membership of “Domain Admins”
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Only looking at Domain Admin Membership?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
What are we missing?
•Domain Admins group membership: 6
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
What are we missing?
•Domain Admins group membership: 6
•Administrators group membership: 20
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
What are we missing?
•Domain Admins group membership: 6
•Administrators group membership: 20
Domain Admins is a member of Administrators
DA gets full AD admin rights & full DC admin rights from the Administrators group
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
What if we see this?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discover all accounts with AdminCount = 1
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discover all accounts with AdminCount = 1
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Note: This only shows potential AD admins in this domain
What if our tool isn’t multi-domain or multi-forest capable?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
What if our tool isn’t multi-domain or multi-forest capable?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discovering Hidden Admin & AD Rights
• Review settings in GPOs linked to Domain Controllers
• The “Default Domain Controllers Policy” GPO (GPO GUID 6AC1786C-016F-11D2-945F-00C04FB984F9) typically has old settings.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discovering Hidden Admin & AD Rights
• Review settings in GPOs linked to Domain Controllers
• The “Default Domain Controllers Policy” GPO (GPO GUID 6AC1786C-016F-11D2-945F-00C04FB984F9) typically has old settings.
• User Rights Assignments in these GPOs are hidden gold.
• These are rarely checked…
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Allow Log On LocallyDefault Groups:
• Account Operators
• Administrators
• Backup Operators
• Print Operators
• Server Operators
Additional Groups:
• Lab Admins
• Server Tier 3
• Domain Users
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Allow Log On LocallyDefault Groups:
• Account Operators
• Administrators
• Backup Operators
• Print Operators
• Server Operators
Additional Groups:
• Lab Admins
• Server Tier 3
•Domain Users
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
What If We Can Gain Remote “Local” Access?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
What If We Can Gain Remote “Local” Access?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
https://airbus-seclab.github.io/ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf
HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54.
The vulnerability affects all HP iLO 4 servers running firmware version 2.53 and before. Other iLO generations, like iLO 5, iLO 3, and more are not affected.
https://www.bleepingcomputer.com/news/security/you-can-bypass-authentication-on-hpe-ilo4-servers-with-29-a-characters/
HP ILO Vulnerability CVE-2017-12542
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
https://airbus-seclab.github.io/ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf
HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54.
The vulnerability affects all HP iLO 4 servers running firmware version 2.53 and before. Other iLO generations, like iLO 5, iLO 3, and more are not affected.
https://www.bleepingcomputer.com/news/security/you-can-bypass-authentication-on-hpe-ilo4-servers-with-29-a-characters/
HP ILO Vulnerability CVE-2017-12542
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
https://airbus-seclab.github.io/ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf
HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54.
The vulnerability affects all HP iLO 4 servers running firmware version 2.53 and before. Other iLO generations, like iLO 5, iLO 3, and more are not affected.
https://www.bleepingcomputer.com/news/security/you-can-bypass-authentication-on-hpe-ilo4-servers-with-29-a-characters/
HP ILO Vulnerability CVE-2017-12542
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Allow Log On Locally + RDP Logon = DC Fun!
Allow Log On Locally
• Account Operators• Administrators• Backup Operators• Print Operators• Server Operators• Lab Admins• Domain Users• Server Tier 3
Allow Log On Through Terminal Services
• Administrators• Server Tier 3
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Allow Log On Locally + RDP Logon = DC Fun!
Allow Log On Locally
• Account Operators• Administrators• Backup Operators• Print Operators• Server Operators• Lab Admins• Domain Users• Server Tier 3
Allow Log On Through Terminal Services
• Administrators• Server Tier 3
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Allow Log On Locally + RDP Logon = DC Fun!
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Manage Auditing & Security LogDefault Groups:
• Administrators
• [Exchange]
Additional Groups:
• Lab Admins
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Enable Computer & User Accounts to be Trusted for Delegation
•Administrators
• Lab Admins
• Server Tier 3
* The user or machine object that is granted this right must have write access to the account control flags.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Identifying Admin Restrictions
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
The Evolution of Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Where We Were• In the beginning, there were admins everywhere.
• Sometimes, user accounts were Domain Admins.
• Every local Administrator account has the same name & password.
• Some environments had almost as many Domain Admins as users.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Where We WereThis resulted in a target rich environment with multiple paths to exploit.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Traditional methods of administration are trivial to attack and compromise due to admin credentials being available on the workstation.
Where We Were: “Old School Admin Methods”
• Logon to workstation as an admin • Credentials in LSASS.
•RunAs on workstation and run standard Microsoft MMC admin tools ("Active Directory Users & Computers“) • Credentials in LSASS.
•RDP to Domain Controllers or Admin Servers to manage them• Credentials in LSASS on remote server.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Where We Were: “Old School Admin Methods”
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Where Are We Now: Newer “Secure" Admin Methods
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Where Are We Now: Newer “Secure" Admin Methods
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Where Are We Now: Newer “Secure" Admin Methods
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Where Are We Now: Newer “Secure" Admin Methods
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Where Are We Now: Newer “Secure" Admin Methods
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
What About MFA?Let’s MFA that RDP
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Multi-Factor Authentication
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Multi-Factor Authentication
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Fun with MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Fun with MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Fun with MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Fun with MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Fun with MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Fun with MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFAWhat if an attacker could bypass MFA without anyone noticing?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFAACME has enabled users to update several attributes through a self-service portal.
• These attributes include:• Work phone number
• Work address
• Mobile number
• Org-specific attributes
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFAACME has enabled users to update several attributes through a self-service portal.
• These attributes include:• Work phone number
• Work address
• Mobile number
• Org-specific attributes
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFAACME has enabled users to update several attributes through a self-service portal.
• These attributes include:• Work phone number
• Work address
• Mobile number
• Org-specific attributes
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFA through SMS
Summary
• Company uses self-service to enable users to update basic user information attributes.
• Attacker compromises user account/workstation and performs self-service update of Mobile/Cell Phone Number to one the attacker controls.
• Attacker compromises admin user name & password
• Attacker leverages “backdoor” SMS/text message for MFA to use admin credentials.
• Game over.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Subverting MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
https://www.n00py.io/2018/08/bypassing-duo-two-factor-authentication-fail-open/
Subverting MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
https://www.n00py.io/2018/08/bypassing-duo-two-factor-authentication-fail-open/
Subverting MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
https://www.n00py.io/2018/08/bypassing-duo-two-factor-authentication-fail-open/
Subverting MFA
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
https://www.n00py.io/2018/08/bypassing-duo-two-factor-authentication-fail-open/
MFA Onboarding
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Customer MFA Recommendations• Yes, use MFA!• Don’t rely on MFA as the primary method to protect admin
accounts.• Use hardware tokens or App & disable SMS (when possible).• Ensure all MFA users know to report anomalies. • Research “Fail Closed” configuration on critical systems like
password vaults and admin servers.• Remember that once an attacker has AD Admin credentials,
MFA doesn’t really stop them.• Better secure the MFA on-boarding/updating process.• Identify potential bypass methods & implement
mitigation/detection.Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Typical Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
From AD Adminaccount name & PW → DCSync
There’s Something About Password Vaults
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Enterprise Password Vault
•Being deployed more broadly to improve administrative security.
• Typically CyberArk or Thycotic SecretServer.
• “Reconciliation” DA account to bring accounts back into compliance/control.
•Password vault maintains AD admin accounts.
•Additional components to augment security like a “Session Manager”.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Enterprise Password Vault
Password Vault Option #1: Check Out Credential
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
Password Vault
AdminServer
Enterprise Password Vault
Password Vault Option #1: Check Out Credential
•Connect to Password Vault & Check Out Password (Copy).
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPS Password Vault
AdminServer
Enterprise Password Vault
Password Vault Option #1: Check Out Credential
•Connect to Password Vault & Check Out Password (Copy).
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPS Password VaultPassword
AdminServer
Enterprise Password Vault
Password Vault Option #1: Check Out Credential
•Connect to Password Vault & Check Out Password (Copy).
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPS Password VaultPassword
PW
AdminServer
Enterprise Password Vault
Password Vault Option #1: Check Out Credential
•Connect to Password Vault & Check Out Password (Copy).
•Paste Password into RDP Logon Window
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPS Password Vault
AdminServer
RDP
Password
PW
Attacking Enterprise Password Vault
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Attacking Enterprise Password Vault
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Attacking Enterprise Password Vault
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Attacking Enterprise Password Vault
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Attacking Enterprise Password Vault
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Attacking Enterprise Password Vault
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Attacking Enterprise Password Vault
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Enterprise Password Vault
Password Vault Option #2: RDP Proxy
•Password vault as the "jump" system to perform administration with no knowledge of account password.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation Password Vault
AdminServer
Enterprise Password Vault
Password Vault Option #2: RDP Proxy
•Password vault as the "jump" system to perform administration with no knowledge of account password.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPSPassword
Vault
AdminServer
Enterprise Password Vault
Password Vault Option #2: RDP Proxy
•Password vault as the "jump" system to perform administration with no knowledge of account password.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPSPassword
VaultRDP
AdminServer
Enterprise Password Vault
Password Vault Option #2: RDP Proxy
•Password vault as the "jump" system to perform administration with no knowledge of account password.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPSPassword
VaultRDP
What account is used to log on
here?
AdminServer
Enterprise Password Vault
Password Vault Option #2: RDP Proxy
•Password vault as the "jump" system to perform administration with no knowledge of account password.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPSPassword
VaultRDP
What account is used to log on
here?
What account is used to log on
here?
AdminServer
Enterprise Password Vault
Password Vault Option #2: RDP Proxy
•Password vault as the "jump" system to perform administration with no knowledge of account password.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPSPassword
VaultRDP
What account is used to log on
here?
What account is used to log on
here?
Is MFA used?
AdminServer
Enterprise Password Vault
Password Vault Option #2: RDP Proxy
•Password vault as the "jump" system to perform administration with no knowledge of account password.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPSPassword
VaultRDP
What account is used to log on
here?
What account is used to log on
here?
Is MFA used?
Who administers this server?
AdminServer
Enterprise Password Vault
Password Vault Option #2: RDP Proxy
•Password vault as the "jump" system to perform administration with no knowledge of account password.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Workstation
HTTPSPassword
VaultRDP
What account is used to log on
here?
What account is used to log on
here?
Is MFA used?
Who administers this server?
Are network comms limited to the PV
AdminServer
Compromise the User’s Web Browser
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Compromise the User’s Web Browser
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Compromise the User’s Web Browser
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploit Password Vault Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Password Vaults on the Internet
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Password Vaults on the Internet
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Password Vault Config Weaknesses
• Authentication to the PV webserver is typically performed with the admin’s user account.
• Connection to the PV webserver doesn’t always require MFA.
• The PV servers are often administered like any other server.
• Anyone on the network can send traffic to the PV server (usually).
• Sessions aren’t always limited creating an opportunity for an attacker to create a new session.
• Combining the PV web server & password management system increases risk.
• Vulnerability in PV can result in total Active Directory compromise.Sean Metcalf | @PyroTek3 | sean@adsecurity.org
CyberArk RCE Vulnerability (April 2018)• CVE-2018-9843:
“The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.”
• Access to this API requires an authentication token in the HTTP authorization header which can be generated by calling the “Logon” API method.
• Token is a base64 encoded serialized .NET object ("CyberArk.Services.Web.SessionIdentifiers“) and consists of 4 string user session attributes.
• The integrity of the serialized data is not protected, so it’s possible to send arbitrary .NET objects to the API in the authorization header.
• By leveraging certain gadgets, such as the ones provided by ysoserial.net, attackers may execute arbitrary code in the context of the web application.
https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
CyberArk RCE Vulnerability
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
What about Admin Forest?(aka Red Forest)
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Admin Forest = Enhanced Security Administrative Environment (ESAE)
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Admin Forest Discovery Forest Discovery
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Admin Forest Discovery Forest Discovery
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Admin Forest Discovery Forest Discovery
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Admin Forest Discovery Forest Discovery
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Admin Forest Discovery Forest Discovery
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Domain Controller Agents
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Domain Controller Agents
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Domain Controller Agents
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
• Backup01 is a backup server with AD Backup rights.• BackupAD is the AD backup service account.
Exploiting Domain Controller Agents
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
• Backup01 is a backup server with AD Backup rights.• BackupAD is the AD backup service account.
Compromise one to gain Domain Controller access.
Did You Know?
• The Splunk Universal Forwarder is often installed on Domain Controller.
• The Splunk UF is effectively a mini version of Splunk and can run scripts.
https://conf.splunk.com/files/2016/slides/universal-forwarder-security-dont-input-more-than-data-into-your-splunk-environment.pdf
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Exploiting Prod AD with an AD Admin Forest• AD admin accounts are moved to the admin forest, but not
everything.• Doesn’t fix production AD issues.• Doesn’t resolve expansive rights over workstations & servers.• Deployments often ignore the primary production AD since all
administrators of the AD forest are moved into the Admin Forest.• They often don't fix all the issues in the production AD.• They often ignore production AD service accounts.• Agents on Domain Controllers are a target – who has admin
access?• Identify systems that connect to DCs with privileged credentials on
DCs (backup accounts).
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Cross-Forest Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Forest A
Forest B
Cross-Forest Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Forest A
Forest B
Trust
Cross-Forest Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Forest A
Forest B
Trust
Forest A Domain Admin Account
RDP
Cross-Forest Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Forest A
Forest B
Trust
Forest A Domain Admin Account
RDP
Cross-Forest Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Forest A
Forest B
Trust
Forest A Domain Admin Account
RDP
Cross-Forest Administration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Forest A
Forest B
Trust
Forest A Domain Admin Account
RDP
Result: Full Compromise of the Production Active Directory
Cross-Forest Administration
• Production (Forest A) <--one-way--trust---- External (Forest B)
• Production forest AD admins manage the External forest.
• External forest administration is done via RDP.
• Production forest admin creds end up on systems in the External forest.
• Attacker compromises External to compromise Production AD.
Mitigation:
• Manage External forest with External admin accounts.
• Use non-privileged Production forest accounts with External admin rights.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Attacking Read-Only Domain Controllers (RODCs)“But it’s ‘read-only’!”
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discovering RODCs
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discovering RODCs
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discovering RODCs
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Typical RODC Deployment Issues
•RODCs cache more passwords than actually required.
• RODCs are typically administered by a “RODC admins” group which is not typically well protected.
•DSRM passwords may be set the same on DCs and RODCs.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Typical RODC Deployment Issues• RODCs cache more passwords than actually required, providing a
potential escalation path -compromise the RODC to compromise additional accounts. In this scenario, the RODC acts as kind of a Junior DC since it contains a subset of domain account passwords.
• RODCs are typically administered by a “RODC admins” group which is not typically well protected. Often the RODC admin group contains server administrators and potentially regular user accounts. The accounts in the RODC admin group(s) are often allowed to be cached on the RODC to enable administration if a DC cannot be contacted to authenticate them.
• DSRM passwords may be set the same on DCs and RODCs.If the organization has configured the Directory Services Restore Mode (DSRM) password to change (and they should), they may not have configured a different process for RODCs, potentially setting the same DSRM password on RODCs and DCs.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC Attributes
• msDS-Reveal-OnDemandGroupContains the distinguished name (DN) of the Allowed List. Members of the Allowed List are permitted to replicate to the RODC.
• msDS-NeverRevealGroupPoints to the distinguished names of security principals that are denied replication to the RODC.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC Attributes
• msDS-RevealedListList of security principals whose passwords have ever been replicated to the RODC.
• msDS-AuthenticatedToAccountListThis attribute contains a list of security principals in the local domain that have authenticated to the RODC.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC Password Replication Policy
• Password Replication Policy controls what password data is replicated to RODCs.
• Allowed RODC Password Replication Group: Added to the msDS-Reveal-OnDemandGroup.
• Denied RODC Password Replication Group: Added to the msDS-NeverRevealGroup.
• Domain password data not placed on RODCs by default.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC Administrator Role Separation (ARS)
•RODC administration can be delegated.
•RODC administrator is not a Domain Admin.
• Full administrator on the RODC.
•Can modify SYSVOL, but RODC SYSVOL changes are not replicated.
•RODC administrators should be in the “Allowed RODC Password Replication Group”.
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC Administration Configuration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC Administration Configuration
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC Attributes
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discovering RODC Admins
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Discovering RODC Admins
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Account Password Caching on RODCs
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Account Password Caching on RODCs
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Enumerating RODC msds-RevealUsers• B:96:A000090002000000673C531003000000B2D8290BE48E5C40A6ACCB
A445CBC36B7D3B0000000000007D3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org
• B:96:7D00090001000000673C531003000000B2D8290BE48E5C40A6ACCBA445CBC36B7E3B0000000000007E3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org
• B:96:5E00090002000000673C531003000000B2D8290BE48E5C40A6ACCBA445CBC36B7D3B0000000000007D3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org
• B:96:5A00090002000000673C531003000000B2D8290BE48E5C40A6ACCBA445CBC36B7D3B0000000000007D3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org
• B:96:3700090002000000673C531003000000B2D8290BE48E5C40A6ACCBA445CBC36B7D3B0000000000007D3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC msds-RevealUsers
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC msds-RevealUsers
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Cached Service Account Password
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
We gained “Server Admin” through a user accountWhat else can we get?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC msds-RevealUsers
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
RODC msds-RevealUsers
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
From RODC to Silver Ticket
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Since the Admin Server Computer Password Was on the RODC, We Now Own that ServerWhat else can we get?
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
From RODC to DC using DSRM
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
Sean Metcalf (@Pyrotek3)s e a n @ adsecurity . org
www.ADSecurity.orgTrimarcSecurity.com
Slides: Presentations.ADSecurity.org
Sean Metcalf | @PyroTek3 | sean@adsecurity.org
• Ensure you are discovering all AD admins by recursively enumerating the domain Administrators group.
• Corelate the user to admin account and the workstation the admin uses.
• Determine if MFA is used, if so try to identify onboarding process & look for dependencies.
• Check for enterprise password vaults.
• RODCs are rarely deployed in a secure manner.
Recommendations
Recommended